Privacy and security have evolved. We are seeing various breaches that are devastating organizations across many industries. How can you secure your data in a world full of mobile devices, IoT, and the cloud? I attended the 2017 RSA Conference in San Francisco to dive into the problems organizations are currently facing in the information security world and to discover the latest industry innovations. Here’s a recap of some of the trends and discussions that took place:
Privacy and security – the more they change, the more they stay the same
One of the most salient takeaways revolved around the fact that when we look at the evolution of privacy and security over time, we see that the basic idea behind each concept has remained the same. It’s the way we approach them that’s changing.
The fact is that while the probability of security breaches hasn’t increased much in the past few years, the damage potential of breaches has increased dramatically. As a result, CIOs and CISOs need to focus on the business interests of privacy and security so that they become a part of the company culture itself, rather than being siloed and shrouded in mystery.
Myles Suer, director of solutions and industry marketing at Protegrity, a data security firm, said, “The concept of privacy goes back to the story of Adam and Eve; they covered themselves once they realized they had something they needed to hide. The same is true for data security. In a modern business, the need for privacy and data protection hasn’t changed, but our approach to achieving them now consists of creating centrally managed policies and data governance as well as protecting the data itself. This renders the information useless to bad actors by using a data-centric security approach, rather than merely building a firewall.”
A simple example of this is when a top-level executive has a password stolen from one of their social profiles, and the password also happens to be the same one that unlocks their enterprise’s most valuable data. This type of issue is cultural, not infrastructural or even technological. In this sense, another layer of encryption isn’t sufficient because of the need to protect from threats caused by both the inside and the outside.
Vendor consolidation to shore up strategic benefits
In recent years, you’d have many different vendors who would each provide an individual security service. However, the services wouldn’t necessarily integrate well with one another. For example, you’d have one vendor for single sign-on (SSO), another for multi-factor authentication (MFA), and a separate vendor for nearly every other service. The thought process was that each vendor was vying to offer the highest quality single solution, and that multi-solution packages were just crappy software suites that did many things but none of them well.
However, the problem with having so many disjointed solutions is that they leave gaps that create inefficiencies and vulnerabilities in enterprise infrastructure. Enterprises are now looking for integrated platform solutions that provide all of the services they need and at top-tier quality.
Bill Mann, chief product officer at Centrify, an identity management and information security firm, said, “It was OK to have individual solutions a few years ago, but now leading vendors have evolved to integrate other parts of the market. Consolidation in identity management is the topic that’s resonating the most with our customers, and this was especially evident in what we heard at RSA. We’ve found that customers see consolidation as a way to more fully secure their enterprise.”
Identity management technologies are becoming integrated
Natural market forces are pushing together multiple overlapping functions because the customer now wants a user experience that’s frictionless. This drives identity management technologies to become integrated. Enterprise customers are actively looking for ways to reduce their number of security vendors, and will replace existing single-point solutions when they find an integrated provider that covers multiple needs instead.
Chris Geisert, vice president of marketing at LockPath, a governance, risk-management and compliance (GRC) firm, perceives the same trend: “We’re seeing aggregation in the industry—people not just coming up with narrow point-based solutions but a more holistic, integrated approach to make information actionable.”
More opportunities for clients to educate themselves before selecting a vendor
Another key trend is that customers are educating themselves more thoroughly about available solutions before making a selection. As a result, vendors are responding by positioning themselves to educate customers and help them make the best decisions for their enterprise.
Geisert said, “The GRC space is maturing and customers want to know how to make big data actionable and turn it into real knowledge. In the past, people would buy a GRC platform without understanding its full capabilities. But now, they’ve become much more sophisticated in terms of selecting the right solution to meet their needs. We responded by creating a content piece that explains what GRC is, what it will do for your business, what are some pitfalls and questions to ask, what are the myths about it, and even provides a sample RFP they can customize and use to seek out vendors.”
Mann recommends that customers focus on their high-level strategic goals and then find solutions that correspond as closely as possible. He said, “Think of the bigger picture and pick the platform that will solve all your immediate problems rather than choosing a single part of the solution. Having vendors explain how their solutions address your landscape of challenges is the best way to evaluate them.”
Suer said, “People have seen others being hacked and they want to know how to protect themselves. As such, they want to figure out how to easily govern data across data silos and create centrally managed data access policies that cover all systems and users. We think that you should still put up a firewall and use encryption, but you also need to limit damage that can be done if hackers breach – protect the data itself. That way there’s no ‘full monty’.”
This year’s RSA conference was very informative about what’s going on in the information security industry. It will be interesting to watch how these key trends shape InfoSec in the coming years. In the meantime, the focus remains on making data secure, private, efficient and actionable.